CVE-2026-28269 MEDIUM

CVE-2026-28269: Kiteworks Core has an OS Command Injection

Vendor Kiteworks
Product security-advisories
Weakness CWE-78
Published February 26, 2026
Last update February 27, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.

Key dates

02Disclosure timeline

February 26, 2026 CVE published
February 27, 2026 Record updated